Just a quick update as there's been a lot of private mailing going on.

I can't (after a reasonable amount of filesystem and network analysis) find any evidence of how the compromise happened or what was being used to upload the files. The most likely seems to be a trojan app of some sort. If it's a rootkit it's a tricky one.

The system will now be heavily firewalled (we don't need overly much access from offsite that secure things like ssh can't provide) and reinstalled. It also gives me a good opportunity to 'upgrade' to 7.2 anyway ;0).

Thanks to anyone who mailed me, you've all given me lots of information and support.

JB (just when you think things are going great...)

--
John Bland M.Phys (Hons) AMInstP    / \  PhD Student & Sys Admin
Email: j.bland at cmp.liv.ac.uk     / \  Condensed Matter Group
http://ringtail.cmp.liv.ac.uk/      / \  Liverpool University
"Hey, I wonder how much meat you get on a womble?" -- Eddie